
Page 1: Title

2012/11/14 IMC12@Boston

Detecting Prefix Hijackings in the Internet with Argus

Xingang Shi, Yang Xiang, Zhiliang Wang, Xia Yin, Jianping Wu

Tsinghua University

Page 2: Outline

• Introduction
  – Prefix Hijacking
  – Existing Detection Methods
• Argus
  – Key Observation & Algorithm
  – System Architecture & Implementation
• Internet Monitoring Practice
  – Evaluation
  – Statistics
  – Case Studies
• Conclusion

Page 3: Inter-domain Routing

[Figure: eight ASes (1 to 8) connected across the Internet. AS 7 originates prefix f in a BGP UPDATE with AS-path <7>; AS 1 receives it and re-announces f with AS-path <1 7>. Every AS that receives f learns an AS-path < … > leading back to the origin.]

Page 4: Prefix Hijacking

[Figure: the same topology. AS 8 sends a hijacking UPDATE for prefix f with AS-path <8>, claiming to originate f. ASes that prefer the bogus <8> route over the legitimate <1 7> route are polluted and forward traffic for f to AS 8.]

Page 5: Black-holing Hijackings

• Packets are dropped by the attacker
• Also caused by unintentional mis-configurations
  – 2010: China Telecom hijacked about 15% of Internet prefixes
  – 2008: Pakistan Telecom hijacked YouTube for 2 hours

Page 6: Outline (section divider, identical to Page 2)

Page 7: Challenges of Hijacking Detection

Hijacking can pollute a large number of ASes in several seconds, so a detector needs:
• short delay
• high accuracy: it must tell hijacking apart from legitimate route events such as multi-homing, traffic engineering (TE), BGP anycast, backup links, route failures and policy changes
• easy deployment: a real system or service, not a simulation
• high scalability: monitoring the whole Internet, not a handful of prefixes
• attacker's info: reporting who announced the anomalous route
• coverage of sub-prefix hijacking

Page 8: Our Approach

[Figure: a comparison table. Rows: the families of existing detection methods (control plane, data plane, hybrid, correlation) and Argus. Columns: the six requirements of the previous slide: short delay, high accuracy, easy to deploy, high scalability, attacker's info, sub-prefix hijacking. The individual marks did not survive extraction; the slide's claim, restated on the conclusion slide, is that Argus satisfies all six.]

Page 9: Outline (section divider, identical to Page 2)

Page 10: Key Observations: Relationship between Control and Data Plane

• Only part of the Internet is polluted by a hijacking
• The resulting pattern is distinguishable from other route events

[Figure: four panels. Each AS is marked as affected by the anomalous route or normal, and each probe to the prefix as answered (probe with reply) or unanswered (probe without reply).
 (a) multi-origin, traffic engineering: affected and normal ASes both get replies
 (b) route failure: no AS gets a reply
 (c) route migration: affected ASes get replies, normal ASes do not
 (d) hijacking: normal ASes get replies, affected ASes do not]

Page 11: Status Matching

• Eyes of Argus: public route-servers and looking-glasses
  – Simple and fast commands: show ip bgp, ping
• For Eye_j at time t:
  – Control plane C_{t,j}: is the eye not affected by the anomalous route? (1 = still on the normal route, 0 = polluted)
  – Data plane D_{t,j}: can a live IP in the corresponding prefix be reached from the eye? (1 = reply, 0 = no reply)
• Fingerprint of a route event: the correlation coefficient of D and C over the N eyes

$$F_t = \frac{\sum_{j=1}^{N} (C_{t,j} - \bar{C}_t)(D_{t,j} - \bar{D}_t)}{\sqrt{\sum_{j=1}^{N} (C_{t,j} - \bar{C}_t)^2 \times \sum_{j=1}^{N} (D_{t,j} - \bar{D}_t)^2}}$$

  where $\bar{C}_t$ and $\bar{D}_t$ are the means of $C_{t,j}$ and $D_{t,j}$ over the N eyes.
• Raise an alarm if F_t > µ

Page 12: Identification of Prefix Hijacking

• Prefix hijacking: F_t → 1.0 (alarm when F_t >= threshold µ)

[Figure: route events placed on a fingerprint axis F_t running from -1 to 1 and a reachability axis D_t.
 – Prefix hijacking: F_t → 1 (polluted eyes lose reachability, normal eyes keep it)
 – Route migration: F_t → -1 (only the eyes on the new route reach the prefix)
 – TE, multi-homing, anycast: F_t → 0 with D_t = 1 (every eye reaches the prefix)
 – Route failure, firewall, inactive host, …: F_t → 0 with D_t = 0 (no eye reaches it)]
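The fingerprint test of the two slides above, worked through as an added example (this is not Argus code). It assumes the 1/0 encoding of C and D given on Page 11, returns F_t = 0 when one series is constant (the formula divides by zero there), applies a symmetric -µ threshold for route migration, and uses the µ = 0.6 and T = 10 s values from Page 18; the eye observations are constructed, not measurements.

```python
# Added example (not Argus code): the status-matching fingerprint of pages 11-12,
# computed from per-eye control-plane and data-plane observations.
# C[j] = 1 if eye j still holds the normal route (not affected), 0 if polluted.
# D[j] = 1 if eye j got a ping reply from the live IP in the prefix, 0 otherwise.
# All eye observations below are constructed, not measurements.
from math import sqrt
from typing import Sequence, Tuple

MU = 0.6       # fingerprint threshold of hijacking (page 18)
T_STABLE = 10  # seconds F_t must stay >= MU for a "stable" hijacking (page 18)


def fingerprint(c: Sequence[int], d: Sequence[int]) -> float:
    """Pearson correlation of C_{t,j} and D_{t,j} over the N eyes (F_t on page 11).

    When either series is constant (every eye reachable, or every eye polluted)
    the slide's formula divides by zero; returning 0.0 puts such events in the
    F_t -> 0 region (TE/anycast or route failure). That is an assumption of this
    example, not something the slides state.
    """
    n = len(c)
    if n == 0 or n != len(d):
        raise ValueError("need the same non-empty number of C and D samples")
    c_mean = sum(c) / n
    d_mean = sum(d) / n
    num = sum((ci - c_mean) * (di - d_mean) for ci, di in zip(c, d))
    den = sqrt(sum((ci - c_mean) ** 2 for ci in c) * sum((di - d_mean) ** 2 for di in d))
    return num / den if den else 0.0


def classify(c: Sequence[int], d: Sequence[int], mu: float = MU) -> Tuple[str, float]:
    """Map (F_t, mean reachability D_t) onto the regions of page 12."""
    f = fingerprint(c, d)
    reach = sum(d) / len(d)          # mean D_t across the eyes
    if f >= mu:
        return "prefix hijacking", f
    if f <= -mu:                     # symmetric threshold for F_t -> -1 (assumption)
        return "route migration", f
    if reach >= 0.5:
        return "TE / multi-homing / anycast", f
    return "route failure / firewall / inactive host", f


def stable_hijacking(samples, mu: float = MU, t_stable: float = T_STABLE) -> bool:
    """samples: time-ordered (timestamp_seconds, C, D) observations of one anomaly.
    True if F_t >= mu holds over a contiguous run lasting at least t_stable seconds."""
    run_start = None
    for t, c, d in samples:
        if fingerprint(c, d) >= mu:
            run_start = t if run_start is None else run_start
            if t - run_start >= t_stable:
                return True
        else:
            run_start = None              # the run is broken; start over
    return False


# Constructed observations from N = 8 eyes; eyes 0-3 keep the normal route.
C = [1, 1, 1, 1, 0, 0, 0, 0]
HIJACK = [1, 1, 1, 1, 0, 0, 0, 0]        # polluted eyes get no reply  -> F_t = 1
MIGRATION = [0, 0, 0, 0, 1, 1, 1, 1]     # only eyes on the new route reply -> F_t = -1
ANYCAST = [1, 1, 1, 1, 1, 1, 1, 1]       # everyone reaches it -> F_t = 0, D_t = 1
FAILURE = [0, 0, 0, 0, 0, 0, 0, 0]       # nobody reaches it  -> F_t = 0, D_t = 0
NOISY_HIJACK = [1, 1, 1, 0, 0, 0, 0, 0]  # one normal eye probes a dead host -> F_t = sqrt(0.6)

if __name__ == "__main__":
    for name, d in [("hijack", HIJACK), ("migration", MIGRATION), ("anycast", ANYCAST),
                    ("failure", FAILURE), ("noisy hijack", NOISY_HIJACK)]:
        print(f"{name:13s} -> {classify(C, d)}")
    run = [(0, C, HIJACK), (3, C, HIJACK), (7, C, NOISY_HIJACK), (12, C, HIJACK), (13, C, ANYCAST)]
    print("stable hijacking:", stable_hijacking(run))
```

The noisy case is the practical point: one normal eye whose probe target happens to be down only lowers F_t to about 0.77, still above µ, which is why the threshold sits at 0.6 rather than at 1.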

Page 13: Type of Anomalies

• AS-path p = <a_n, …, a_{i+1}, a_i, a_{i-1}, …, a_0>, where a_0 is the origin AS
  – OA: Origin Anomaly
    • anomalous origin AS for prefix f: p_a = <a_0, f>
  – AA: Adjacency Anomaly
    • anomalous AS pair in the AS-path: p_a = <a_j, a_{j-1}>
  – PA: Policy Anomaly
    • anomalous AS triple in the AS-path: p_a = <a_{j+1}, a_j, a_{j-1}>

[Figure: three examples on a four-AS topology: victim AS 1 originates prefix f, AS 3 is the attacker, ASes 2 and 4 are normal; links are marked customer-provider or peer-peer, and polluted ASes are highlighted.
 – OA: normal UPDATE <1>, hijacking UPDATE <3>: the attacker claims to originate f
 – AA: normal UPDATE <1>, hijacking UPDATE <3,1>: the attacker claims a direct link to the victim
 – PA: normal UPDATEs <1> and <3,2,1>, hijacking UPDATE <4,3,2,1>: every link exists, but the triple <4,3,2> is inconsistent with the customer-provider / peer-peer relationships, i.e. AS 3 re-exports to AS 4 a route it should not]
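The OA / AA / PA extraction described on this slide, as an added example rather than the Argus implementation. Argus builds its candidate sets (origin ASes, AS pairs, AS triples) from the live BGP feed; this example assumes instead that the "normal" sets are whatever was learned from a constructed history of earlier UPDATEs, and it uses the slide's toy ASes 1 to 4 with documentation prefixes. A sub-prefix UPDATE is compared against the origins of the known covering prefix, which is how the example handles sub-prefix hijacking.

```python
# Added example (not Argus code): extracting the anomaly p_a of page 13 from a BGP
# UPDATE. The "normal" sets here are everything learned from a constructed history,
# an assumption of this example; Argus extracts its candidates from the live feed.
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

AnomalyResult = Tuple[str, Optional[tuple], bool]   # (type, p_a, is_sub_prefix)


def collapse_prepending(as_path: List[int]) -> Tuple[int, ...]:
    """<3 3 3 1> -> (3, 1): repeated ASes are AS-path prepending, not new adjacencies."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


class Baseline:
    def __init__(self) -> None:
        self.origins: Dict[str, Set[int]] = {}            # prefix -> origin ASes <a_0, f>
        self.pairs: Set[Tuple[int, int]] = set()          # adjacent pairs <a_j, a_{j-1}>
        self.triples: Set[Tuple[int, int, int]] = set()   # triples <a_{j+1}, a_j, a_{j-1}>

    def learn(self, prefix: str, as_path: List[int]) -> None:
        p = collapse_prepending(as_path)
        self.origins.setdefault(prefix, set()).add(p[-1])   # a_0 is the last AS
        self.pairs.update(zip(p, p[1:]))
        self.triples.update(zip(p, p[1:], p[2:]))

    def covering_prefix(self, prefix: str) -> Optional[str]:
        """Longest known prefix that contains `prefix` (sub-prefix hijacking check)."""
        net = ip_network(prefix)
        best = None
        for known in self.origins:
            kn = ip_network(known)
            if kn.version == net.version and net.subnet_of(kn):
                if best is None or kn.prefixlen > ip_network(best).prefixlen:
                    best = known
        return best

    def classify(self, prefix: str, as_path: List[int]) -> Optional[AnomalyResult]:
        p = collapse_prepending(as_path)
        if prefix in self.origins:
            known_origins, sub = self.origins[prefix], False
        else:
            cover = self.covering_prefix(prefix)
            if cover is None:
                return None                  # unknown prefix: nothing to compare against
            known_origins, sub = self.origins[cover], True
        # OA: the origin a_0 was never seen for f (or for the prefix covering f)
        if p[-1] not in known_origins:
            return ("OA", (p[-1], prefix), sub)
        # AA: some adjacent pair never appeared in any path
        for pair in zip(p, p[1:]):
            if pair not in self.pairs:
                return ("AA", pair, sub)
        # PA: every link is known, but the way the route was relayed is not
        for triple in zip(p, p[1:], p[2:]):
            if triple not in self.triples:
                return ("PA", triple, sub)
        return ("normal", None, sub)


def build_baseline() -> Baseline:
    """Constructed history: victim AS 1 originates f = 192.0.2.0/24 via ASes 2 and 4."""
    b = Baseline()
    b.learn("192.0.2.0/24", [4, 2, 1])
    b.learn("192.0.2.0/24", [2, 2, 1])       # prepending by AS 2
    b.learn("198.51.100.0/24", [4, 3])       # links 4-3 and 3-2 exist ...
    b.learn("203.0.113.0/24", [3, 2])        # ... but 4-3-2 was never used as transit
    return b


if __name__ == "__main__":
    b = build_baseline()
    for pfx, path in [("192.0.2.0/24", [3]), ("192.0.2.0/24", [3, 1]),
                      ("192.0.2.0/24", [4, 3, 2, 1]), ("192.0.2.128/25", [3]),
                      ("192.0.2.0/24", [4, 2, 1])]:
        print(pfx, path, "->", b.classify(pfx, path))
```

The checks run in the slide's order (origin, then pairs, then triples), so a path is reported under the most specific explanation: <3> is an OA, <3,1> an AA even though AS 3 is a known origin elsewhere, and <4,3,2,1> a PA because all three links are known but the relay through AS 3 is not.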

Page 14: Outline (section divider, identical to Page 2)

Page 15: Architecture of Argus

[Figure: three modules.
 – Anomaly Monitoring Module: the live BGP feed from BGPmon is parsed; candidate origin ASes, AS pairs and AS triples are extracted; an anomaly p_a (OA / AA / PA) is detected for a victim prefix f.
 – Live-IP Retrieving Module: daily traceroute data from CAIDA and iPlane yield a live IP i inside f to probe.
 – Hijacking Identification Module: the eyes of Argus (public route-servers and looking-glasses) run show ip bgp for f and ping IP i; the fingerprint test on the collected status identifies the event and raises a hijacking alarm.]

Page 16: System Deployment

• Launched in May 2011, running for more than a year
• Live BGP feed collected from ~130 peers
  – BGPmon: http://bgpmon.netsec.colostate.edu/
  – 10 GB of BGP UPDATEs per day, 20 Mbps peak
• 389 eyes in 41 transit ASes
• Online notification services
  – Mailing list (AS-4847)
  – Twitter (AS-13414, AS-35995)
  – Website and web service APIs (AS-4538)

Page 17: Outline (section divider, identical to Page 2)

Page 18: Argus is Online

• 40k anomalous route events
• 220 stable hijackings
  – Stable: F_t >= µ holds for more than T seconds
  – µ: fingerprint threshold of hijacking (0.6)
  – T: duration threshold of stable hijacking (10 sec)

[Figure: fingerprint (F_t) distribution of all stable hijackings.]

Page 19: False Positive

• Direct contact with network operators (March to April 2012)
  – 10 of 31 contacted operators confirmed our hijacking alarms
  – No operator objected to an alarm
• ROA: Route Origin Authorization
  – 266 anomalies with ROA records
  – False positive rate 0% (µ=0.6, T=10, #eyes=40)
• IRR: Internet Routing Registry
  – 3988 anomalies with IRR records
  – False positive rate 0.2% (µ=0.6, T=10, #eyes=40)
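How a ROA check turns an alarm into a confirmed or false positive, as an added example (not the Argus evaluation code). It applies Route Origin Validation with RFC 6811 semantics (prefix coverage, maxLength, origin ASN) and counts an alarm as a false positive when the anomalous origin is ROA-valid, as this slide does; alarms whose prefix has no covering ROA are excluded because there is no ground truth for them. The ROA table and the alarms are constructed from documentation prefixes and private ASNs.

```python
# Added example (not Argus code): Route Origin Validation against ROA records with
# RFC 6811 semantics, used the way page 19 uses ROAs: as ground truth for deciding
# whether a hijacking alarm was a false positive. ROAs and alarms are constructed.
from ipaddress import ip_network
from typing import Iterable, List, Tuple

Roa = Tuple[str, int, int]     # (prefix, maxLength, authorised origin ASN)
Alarm = Tuple[str, int]        # (prefix, anomalous origin ASN) as raised by the detector

ROAS: List[Roa] = [
    ("192.0.2.0/24", 24, 64496),      # AS 64496 may announce the /24 only
    ("198.51.100.0/22", 24, 64497),   # AS 64497 may announce the /22 and more-specifics to /24
    ("198.51.100.0/22", 22, 64498),   # AS 64498 may announce the /22 exactly, nothing longer
]


def rov(prefix: str, origin: int, roas: Iterable[Roa] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced (prefix, origin)."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        rn = ip_network(roa_prefix)
        if rn.version != net.version or not net.subnet_of(rn):
            continue                      # this ROA does not cover the announcement
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"                # one matching ROA is enough
    return "invalid" if covered else "not-found"


def false_positive_rate(alarms: Iterable[Alarm], roas: Iterable[Roa] = ROAS):
    """Evaluate alarms as on page 19: only alarms whose prefix is covered by a ROA
    count, and an alarm is a false positive if the anomalous origin is ROA-valid.
    Returns (alarms_with_roa, false_positives, rate)."""
    roas = list(roas)
    checked = fps = 0
    for prefix, origin in alarms:
        state = rov(prefix, origin, roas)
        if state == "not-found":
            continue                      # no ground truth for this alarm
        checked += 1
        if state == "valid":
            fps += 1
    return checked, fps, (fps / checked if checked else 0.0)


# Constructed alarms: a real origin hijack, a legitimate more-specific announced by
# the authorised AS (a false alarm), and one outside any ROA.
ALARMS: List[Alarm] = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64499),
]

if __name__ == "__main__":
    for prefix, origin in ALARMS:
        print(prefix, origin, rov(prefix, origin))
    print(false_positive_rate(ALARMS))
```

Note the maxLength rule: AS 64498 announcing 198.51.100.0/24 is invalid even though it holds a ROA for the covering /22, which is exactly the sub-prefix case a detector must not mistake for a legitimate more-specific.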

Page 20: Delay (220 stable hijackings)

• Detection delay
  – 60% less than 10 seconds
• Identification delay
  – 80% less than 10 seconds
  – 50% less than 1 second

[Figure: timeline with three events in order: first anomalous UPDATE, first polluted eye, first alarm (F_t ≥ µ). Detection delay spans from the first anomalous UPDATE to the first alarm; identification delay, the shorter interval, spans from the first polluted eye to the first alarm.]

Page 21: Outline (section divider, identical to Page 2)

Page 22: Statistics - Overview

• Adjacency-based and policy-based hijackings do exist

[Figure: weekly number of stable hijackings.]

Total number of route anomalies and stable hijackings in one year:

               Total   OA (origin AS)   AA (adjacency)   PA (policy)
  Anomalies    40k     20k              6.7k             13.3k
  Hijackings   220     122              71               27

Page 23: Statistics - Hijacking duration

• Stable hijacking duration: the lifetime of the anomalous route
  – 20+% of hijackings last less than 10 minutes
  – Long hijackings also exist

Page 24: Statistics - Prefix length

• Stable hijackings and most-specific prefixes
  – 91% of hijacked prefixes are the most specific prefix for their addresses
  – 100% of hijacked prefixes with length <= 18 are most specific
• 10% of stable hijackings are sub-prefix hijackings

Page 25: Statistics - Pollution scale

• 20% of stable hijackings pollute 80 or more transit ASes

Page 26: Statistics - Pollution speed

• 20+ transit ASes are polluted within 2 minutes
• For hijackings that polluted 80+ transit ASes
  – 50% of the Internet is polluted within 20 seconds
  – 90% of the Internet is polluted within 2 minutes

Page 27: Outline (section divider, identical to Page 2)

Page 28: Case Studies

• OA hijackings (confirmed by email)
  – Missing route filters
  – Network maintenance misplay
  – Premature migration attempt
  – Sub-prefix hijacking
• AA hijackings (confirmed by email)
  – Mis-configuration in TE
  – AS-path poisoning experiment
• PA hijackings (verified in IRR)
  – Import policy violation
  – Export policy violation

Page 29: OA Hijackings

• Missing route filters
• Network maintenance misplay

  Time           Prefix               Normal Origin             Anomalous Origin          Duration   Delay
  Nov. 27, 2011  166.111.32.0/24, …   AS-4538 (CERNET, CN)      AS-23910 (CERNET-2, CN)   10+ sec    10 sec
  Mar. 20, 2012  193.105.17.0/24      AS-50407 (Douglas, DE)    AS-15763 (DOKOM, DE)      12 min     5 sec

Page 30: OA Hijackings

• Premature migration attempt
• Sub-prefix hijacking

  Time           Prefix                              Normal Origin              Anomalous Origin         Duration   Delay (sec)
  Apr. 04, 2012  91.217.242.0/24                     AS-197279 (WizjaNet, PL)   AS-48559 (Infomex, PL)   17 min     9
  Mar. 22, 2012  12.231.155.0/24 (in 12.128.0.0/9)   AS-7018 (AT&T, US)         AS-13490 (Buckeye, US)   16 min     7

Page 31: AA Hijackings

• Mis-configuration in TE
  – AS-38794 (BB-Broadband, TH) is a new provider of AS-24465 (Kasikorn, TH)
• AS-path poisoning experiment [SIGCOMM '12]
  – BBN announces looped AS-paths <47065, x, 47065> for experimental purposes

  Time           Prefix             AS-path                               Delay (sec)
  Apr. 12, 2012  210.1.38.0/24      <3043 174 38082 38794 24465>          12
  Mar. 31, 2012  184.464.255.0/24   <4739 6939 2381 47065 19782 47065>    4

Page 32: PA Hijackings

• Import policy violation
• Export policy violation

  Time           Prefix             AS-path                                    Delay (sec)
  Apr. 19, 2012  77.223.240.0/22    <4739 24709 25388 21021 12741 47728>       9
  Apr. 16, 2012  195.10.205.0/24    <3043 174 20764 31484 3267 3216 35813>     5

[Figure: IRR records of AS-21021 (Multimedia, PL) and of AS-31484 (OOO Direct Tele., RU), against which the two paths were verified.]

Page 33: Non-hijacking Anomalies

• TE using BGP anycast
  – 193.0.16.0/24 (DNS root K) suddenly originated by AS-197000 (RIPE)
  – F_t → 0, D_t = 1
• TE with backup links
  – AS-12476 (Aster, PL) announced its prefix to a new provider, AS-6453 (Tata, CA)
  – F_t → 0, D_t = 1
• Route migration
  – Prefix owner changed from AS-12653 (KB Impuls, GR) to AS-7700 (Singapore Tele.)
  – F_t → -1

Page 34: Outline (section divider, identical to Page 2)

Page 35: Conclusion of Our Contributions

Argus, after one year of Internet detection practice:
• Short delay
  – 80% of delays < 10 seconds
  – 20% of stable hijackings last < 10 minutes, and some pollute 90% of the Internet in < 2 minutes
• High accuracy
  – OA, AA, PA anomalies
  – ROA, IRR and email confirmation
• Easy to deploy
  – show ip bgp, ping
  – Publicly available external resources
• High scalability
  – Anomaly-driven probing
  – Monitoring the whole Internet
• Attacker's info
  – Live BGP feed from BGPmon
  – Victims can be notified through several channels
• Sub-prefix hijacking
  – 10% of stable hijackings are sub-prefix hijackings